class NodeHistory(Base):
__tablename__ = "node_history"
uuid = Column(UUID(as_uuid=True),
primary_key=True,
server_default=func.gen_random_uuid())
action = relationship("NodeHistoryAction")
action_uuid = Column(UUID(as_uuid=True),
ForeignKey("node_history_action.uuid"))
action_user_uuid = Column(UUID(as_uuid=True), ForeignKey("user.uuid"))
action_user = relationship("User", foreign_keys=[action_user_uuid])
after = Column(JSONB)
before = Column(JSONB)
node_uuid = Column(UUID(as_uuid=True), ForeignKey("node.uuid"))
node = relationship("Node", foreign_keys=[node_uuid])
timestamp = Column(DateTime, server_default=utcnow())
class Event(Node):
__tablename__ = "event"
uuid = Column(UUID(as_uuid=True), ForeignKey("node.uuid"), primary_key=True)
alert_time = Column(DateTime(timezone=True))
alerts = relationship("Alert", primaryjoin="Alert.event_uuid == Event.uuid")
alert_uuids = association_proxy("alerts", "uuid")
contain_time = Column(DateTime(timezone=True))
creation_time = Column(DateTime(timezone=True), server_default=utcnow())
disposition_time = Column(DateTime(timezone=True))
event_time = Column(DateTime(timezone=True))
name = Column(String)
owner_uuid = Column(UUID(as_uuid=True), ForeignKey("user.uuid"), nullable=True)
owner = relationship("User", foreign_keys=[owner_uuid])
ownership_time = Column(DateTime(timezone=True))
prevention_tools = relationship("EventPreventionTool", secondary=event_prevention_tool_mapping)
remediation_time = Column(DateTime(timezone=True))
remediations = relationship("EventRemediation", secondary=event_remediation_mapping)
risk_level = relationship("EventRiskLevel")
risk_level_uuid = Column(UUID(as_uuid=True), ForeignKey("event_risk_level.uuid"))
source = relationship("EventSource")
source_uuid = Column(UUID(as_uuid=True), ForeignKey("event_source.uuid"))
status = relationship("EventStatus")
status_uuid = Column(UUID(as_uuid=True), ForeignKey("event_status.uuid"))
type = relationship("EventType")
type_uuid = Column(UUID(as_uuid=True), ForeignKey("event_type.uuid"))
vectors = relationship("EventVector", secondary=event_vector_mapping)
__mapper_args__ = {
"polymorphic_identity": "event",
}
class ObservableInstance(Node):
__tablename__ = "observable_instance"
uuid = Column(UUID(as_uuid=True),
ForeignKey("node.uuid"),
primary_key=True)
alert_uuid = Column(UUID(as_uuid=True), ForeignKey("alert.uuid"))
alert = relationship("Alert", foreign_keys=[alert_uuid])
context = Column(String)
observable_uuid = Column(UUID(as_uuid=True),
ForeignKey("observable.uuid"),
nullable=False)
observable = relationship("Observable", foreign_keys=[observable_uuid])
parent_analysis = relationship(
"Analysis",
secondary=analysis_observable_instance_mapping,
uselist=False)
parent_analysis_uuid = association_proxy("parent_analysis", "uuid")
performed_analyses = relationship(
"Analysis", secondary=observable_instance_analysis_mapping)
performed_analysis_uuids = association_proxy("performed_analyses", "uuid")
redirection_uuid = Column(UUID(as_uuid=True),
ForeignKey("observable_instance.uuid"))
redirection = relationship("ObservableInstance",
foreign_keys=[redirection_uuid],
uselist=False)
time = Column(DateTime(timezone=True),
server_default=utcnow(),
nullable=False)
__mapper_args__ = {
"polymorphic_identity": "observable_instance",
}
class NodeComment(Base):
__tablename__ = "node_comment"
uuid = Column(UUID(as_uuid=True), primary_key=True, server_default=func.gen_random_uuid())
insert_time = Column(DateTime, server_default=utcnow())
node_uuid = Column(UUID(as_uuid=True), ForeignKey("node.uuid"), index=True)
user_uuid = Column(UUID(as_uuid=True), ForeignKey("user.uuid"))
user = relationship("User", foreign_keys=[user_uuid])
value = Column(String, nullable=False)
__table_args__ = (
Index(
"comment_value_trgm",
value,
postgresql_ops={"value": "gin_trgm_ops"},
postgresql_using="gin",
),
UniqueConstraint("node_uuid", "value", name="node_value_uc"),
)
class Alert(Node):
__tablename__ = "alert"
uuid = Column(UUID(as_uuid=True), ForeignKey("node.uuid"), primary_key=True)
analysis_uuid = Column(UUID(as_uuid=True), ForeignKey("analysis.uuid"), nullable=False, unique=True)
analysis = relationship("Analysis", foreign_keys=[analysis_uuid])
description = Column(String)
disposition = relationship("AlertDisposition")
disposition_uuid = Column(UUID(as_uuid=True), ForeignKey("alert_disposition.uuid"), index=True)
disposition_time = Column(DateTime(timezone=True), index=True)
disposition_user_uuid = Column(UUID(as_uuid=True), ForeignKey("user.uuid"), index=True)
disposition_user = relationship("User", foreign_keys=[disposition_user_uuid])
event_time = Column(DateTime(timezone=True), server_default=utcnow(), nullable=False, index=True)
event_uuid = Column(UUID(as_uuid=True), ForeignKey("event.uuid"), index=True)
event = relationship("Event", foreign_keys=[event_uuid])
insert_time = Column(DateTime(timezone=True), server_default=utcnow(), nullable=False, index=True)
instructions = Column(String)
name = Column(String)
owner_uuid = Column(UUID(as_uuid=True), ForeignKey("user.uuid"), index=True)
owner = relationship("User", foreign_keys=[owner_uuid])
queue = relationship("AlertQueue")
queue_uuid = Column(UUID(as_uuid=True), ForeignKey("alert_queue.uuid"), nullable=False, index=True)
tool = relationship("AlertTool")
tool_uuid = Column(UUID(as_uuid=True), ForeignKey("alert_tool.uuid"), index=True)
tool_instance = relationship("AlertToolInstance")
tool_instance_uuid = Column(UUID(as_uuid=True), ForeignKey("alert_tool_instance.uuid"), index=True)
type = relationship("AlertType")
type_uuid = Column(UUID(as_uuid=True), ForeignKey("alert_type.uuid"), nullable=False, index=True)
__mapper_args__ = {
"polymorphic_identity": "alert",
}
# TODO: We need a lot more indices here for when we introduce searching API endpoints.
__table_args__ = (
Index(
"name_trgm",
name,
postgresql_ops={"name": "gin_trgm_ops"},
postgresql_using="gin",
),
)